NotificationsYou must be signed in to change notification settings
Fork5k
Star17.9k

Commitd2e7d2a

committed

oauth: Disallow OAuth connections via postgres_fdw/dblink

A subsequent commit will reclassify oauth_client_secret from dispchar=""to dispchar="*", so that UIs will treat it like a secret. For our FDWs,this change will move that option from SERVER to USER MAPPING, which weneed to avoid.But upon further discussion, we don't really want our FDWs to use ourbuiltin Device Authorization flow at all, for several reasons:- the URL and code would be printed to the server logs, not sent over the client connection- tokens are not cached/refreshed, so every single connection has to be manually authorized by a user with a browser- oauth_client_secret needs to belong to the foreign server, but options on SERVER are publicly accessible- all non-superusers would need password_required=false, which is dangerousFuture OAuth work can use FDWs as a motivating use case. But for now,disallow all oauth_* connection options for these two extensions.Reviewed-by: Noah Misch <noah@leadboat.com>Discussion:https://postgr.es/m/20250415191435.55.nmisch%40google.com

1 parent45363fc commitd2e7d2aCopy full SHA for d2e7d2a

File tree

6 files changed

+52

-0

lines changed

contrib
- dblink
  - dblink.c
  - expected
    - dblink.out
  - sql
    - dblink.sql
- postgres_fdw
  - expected
    - postgres_fdw.out
  - option.c
  - sql
    - postgres_fdw.sql

6 files changed

+52

-0

lines changed

`‎contrib/dblink/dblink.c`

Lines changed: 7 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -3094,6 +3094,13 @@ is_valid_dblink_option(const PQconninfoOption options, const char option,`
`3094`	`3094`	`if (strcmp(opt->keyword,"client_encoding")==0)`
`3095`	`3095`	`return false;`
`3096`	`3096`
	`3097`	`+/*`
	`3098`	`+ * Disallow OAuth options for now, since the builtin flow communicates on`
	`3099`	`+ * stderr by default and can't cache tokens yet.`
	`3100`	`+ */`
	`3101`	`+if (strncmp(opt->keyword,"oauth_",strlen("oauth_"))==0)`
	`3102`	`+return false;`
	`3103`	`+`
`3097`	`3104`	`/*`
`3098`	`3105`	`* If the option is "user" or marked secure, it should be specified only`
`3099`	`3106`	`* in USER MAPPING. Others should be specified only in SERVER.`

`‎contrib/dblink/expected/dblink.out`

Lines changed: 11 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -898,6 +898,17 @@ CREATE USER MAPPING FOR public SERVER fdtest`
`898`	`898`	`OPTIONS (server 'localhost'); -- fail, can't specify server here`
`899`	`899`	`ERROR: invalid option "server"`
`900`	`900`	`CREATE USER MAPPING FOR public SERVER fdtest OPTIONS (user :'USER');`
	`901`	`+-- OAuth options are not allowed in either context`
	`902`	`+ALTER SERVER fdtest OPTIONS (ADD oauth_issuer 'https://example.com');`
	`903`	`+ERROR: invalid option "oauth_issuer"`
	`904`	`+ALTER SERVER fdtest OPTIONS (ADD oauth_client_id 'myID');`
	`905`	`+ERROR: invalid option "oauth_client_id"`
	`906`	`+ALTER USER MAPPING FOR public SERVER fdtest`
	`907`	`+OPTIONS (ADD oauth_issuer 'https://example.com');`
	`908`	`+ERROR: invalid option "oauth_issuer"`
	`909`	`+ALTER USER MAPPING FOR public SERVER fdtest`
	`910`	`+OPTIONS (ADD oauth_client_id 'myID');`
	`911`	`+ERROR: invalid option "oauth_client_id"`
`901`	`912`	`GRANT USAGE ON FOREIGN SERVER fdtest TO regress_dblink_user;`
`902`	`913`	`GRANT EXECUTE ON FUNCTION dblink_connect_u(text, text) TO regress_dblink_user;`
`903`	`914`	`SET SESSION AUTHORIZATION regress_dblink_user;`

`‎contrib/dblink/sql/dblink.sql`

Lines changed: 8 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -469,6 +469,14 @@ CREATE USER MAPPING FOR public SERVER fdtest`
`469`	`469`	`OPTIONS (server'localhost');-- fail, can't specify server here`
`470`	`470`	`CREATEUSERMAPPING FOR public SERVER fdtest OPTIONS (user :'USER');`
`471`	`471`
	`472`	`+-- OAuth options are not allowed in either context`
	`473`	`+ALTER SERVER fdtest OPTIONS (ADD oauth_issuer'https://example.com');`
	`474`	`+ALTER SERVER fdtest OPTIONS (ADD oauth_client_id'myID');`
	`475`	`+ALTERUSER MAPPING FOR public SERVER fdtest`
	`476`	`+OPTIONS (ADD oauth_issuer'https://example.com');`
	`477`	`+ALTERUSER MAPPING FOR public SERVER fdtest`
	`478`	`+OPTIONS (ADD oauth_client_id'myID');`
	`479`	`+`
`472`	`480`	`GRANT USAGEON FOREIGN SERVER fdtest TO regress_dblink_user;`
`473`	`481`	`GRANT EXECUTEON FUNCTION dblink_connect_u(text,text) TO regress_dblink_user;`
`474`	`482`

`‎contrib/postgres_fdw/expected/postgres_fdw.out`

Lines changed: 11 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -196,6 +196,17 @@ ALTER USER MAPPING FOR public SERVER testserver1`
`196`	`196`	`-- permitted to check validation.`
`197`	`197`	`ALTER USER MAPPING FOR public SERVER testserver1`
`198`	`198`	`OPTIONS (ADD sslkey 'value', ADD sslcert 'value');`
	`199`	`+-- OAuth options are not allowed in either context`
	`200`	`+ALTER SERVER testserver1 OPTIONS (ADD oauth_issuer 'https://example.com');`
	`201`	`+ERROR: invalid option "oauth_issuer"`
	`202`	`+ALTER SERVER testserver1 OPTIONS (ADD oauth_client_id 'myID');`
	`203`	`+ERROR: invalid option "oauth_client_id"`
	`204`	`+ALTER USER MAPPING FOR public SERVER testserver1`
	`205`	`+OPTIONS (ADD oauth_issuer 'https://example.com');`
	`206`	`+ERROR: invalid option "oauth_issuer"`
	`207`	`+ALTER USER MAPPING FOR public SERVER testserver1`
	`208`	`+OPTIONS (ADD oauth_client_id 'myID');`
	`209`	`+ERROR: invalid option "oauth_client_id"`
`199`	`210`	`ALTER FOREIGN TABLE ft1 OPTIONS (schema_name 'S 1', table_name 'T 1');`
`200`	`211`	`ALTER FOREIGN TABLE ft2 OPTIONS (schema_name 'S 1', table_name 'T 1');`
`201`	`212`	`ALTER FOREIGN TABLE ft1 ALTER COLUMN c1 OPTIONS (column_name 'C 1');`

`‎contrib/postgres_fdw/option.c`

Lines changed: 7 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -348,6 +348,13 @@ InitPgFdwOptions(void)`
`348`	`348`	`strcmp(lopt->keyword,"client_encoding")==0)`
`349`	`349`	`continue;`
`350`	`350`
	`351`	`+/*`
	`352`	`+ * Disallow OAuth options for now, since the builtin flow communicates`
	`353`	`+ * on stderr by default and can't cache tokens yet.`
	`354`	`+ */`
	`355`	`+if (strncmp(lopt->keyword,"oauth_",strlen("oauth_"))==0)`
	`356`	`+continue;`
	`357`	`+`
`351`	`358`	`/* We don't have to copy keyword string, as described above. */`
`352`	`359`	`popt->keyword=lopt->keyword;`
`353`	`360`

`‎contrib/postgres_fdw/sql/postgres_fdw.sql`

Lines changed: 8 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -213,6 +213,14 @@ ALTER USER MAPPING FOR public SERVER testserver1`
`213`	`213`	`ALTERUSER MAPPING FOR public SERVER testserver1`
`214`	`214`	`OPTIONS (ADD sslkey'value', ADD sslcert'value');`
`215`	`215`
	`216`	`+-- OAuth options are not allowed in either context`
	`217`	`+ALTER SERVER testserver1 OPTIONS (ADD oauth_issuer'https://example.com');`
	`218`	`+ALTER SERVER testserver1 OPTIONS (ADD oauth_client_id'myID');`
	`219`	`+ALTERUSER MAPPING FOR public SERVER testserver1`
	`220`	`+OPTIONS (ADD oauth_issuer'https://example.com');`
	`221`	`+ALTERUSER MAPPING FOR public SERVER testserver1`
	`222`	`+OPTIONS (ADD oauth_client_id'myID');`
	`223`	`+`
`216`	`224`	`ALTER FOREIGN TABLE ft1 OPTIONS (schema_name'S 1', table_name'T 1');`
`217`	`225`	`ALTER FOREIGN TABLE ft2 OPTIONS (schema_name'S 1', table_name'T 1');`
`218`	`226`	`ALTER FOREIGN TABLE ft1 ALTER COLUMN c1 OPTIONS (column_name'C 1');`

0 commit comments

Comments

(0)

Movatterモバイル変換

Navigation Menu

Search code, repositories, users, issues, pull requests...

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Commitd2e7d2a

File tree

6 files changed

6 files changed

`‎contrib/dblink/dblink.c`

`‎contrib/dblink/expected/dblink.out`

`‎contrib/dblink/sql/dblink.sql`

`‎contrib/postgres_fdw/expected/postgres_fdw.out`

`‎contrib/postgres_fdw/option.c`

`‎contrib/postgres_fdw/sql/postgres_fdw.sql`

0 commit comments